pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2019Q3]: pkgsrc/sysutils Pullup ticket #6104 - requested by bo...
details: https://anonhg.NetBSD.org/pkgsrc/rev/10ec599ee9e9
branches: pkgsrc-2019Q3
changeset: 345717:10ec599ee9e9
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Mon Dec 16 13:51:58 2019 +0000
description:
Pullup ticket #6104 - requested by bouyer
sysutils/xenkernel411, sysutils/xentools411: security fix
Revisions pulled up:
- sysutils/xenkernel411/Makefile 1.12
- sysutils/xenkernel411/distinfo 1.9
- sysutils/xenkernel411/patches/patch-XSA298 deleted
- sysutils/xenkernel411/patches/patch-XSA299 deleted
- sysutils/xenkernel411/patches/patch-XSA302 deleted
- sysutils/xenkernel411/patches/patch-XSA304 deleted
- sysutils/xenkernel411/patches/patch-XSA305 deleted
- sysutils/xenkernel411/patches/patch-XSA306 deleted
- sysutils/xenkernel411/patches/patch-XSA307 1.1
- sysutils/xenkernel411/patches/patch-XSA308 1.1
- sysutils/xenkernel411/patches/patch-XSA309 1.1
- sysutils/xenkernel411/patches/patch-XSA310 1.1
- sysutils/xenkernel411/patches/patch-XSA311 1.1
- sysutils/xentools411/Makefile 1.12
- sysutils/xentools411/distinfo 1.8
---
Module Name: pkgsrc
Committed By: bouyer
Date: Fri Dec 13 13:44:21 UTC 2019
Modified Files:
pkgsrc/sysutils/xenkernel411: Makefile distinfo
pkgsrc/sysutils/xentools411: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel411/patches: patch-XSA307 patch-XSA308
patch-XSA309 patch-XSA310 patch-XSA311
Removed Files:
pkgsrc/sysutils/xenkernel411/patches: patch-XSA298 patch-XSA299
patch-XSA302 patch-XSA304 patch-XSA305 patch-XSA306
Log Message:
Update xenkernel411 to 4.11.3nb1, and xentools411 to 4.11.3
(PKGREVISION not reset on xenkernel411 on purpose, to emphasize that it's
not a stock Xen 4.11.3 kernel).
Changes since 4.11.2:
- includes all security patches up to XSA306
- other minor bug fixes, hardware support and performance improvements
In addition, xenkernel411 includes all security patches released since 4.11.3,
up to XSA311
diffstat:
sysutils/xenkernel411/Makefile | 6 +-
sysutils/xenkernel411/distinfo | 21 +-
sysutils/xenkernel411/patches/patch-XSA298 | 89 -
sysutils/xenkernel411/patches/patch-XSA299 | 2413 ----------------------------
sysutils/xenkernel411/patches/patch-XSA302 | 537 ------
sysutils/xenkernel411/patches/patch-XSA304 | 481 -----
sysutils/xenkernel411/patches/patch-XSA305 | 482 -----
sysutils/xenkernel411/patches/patch-XSA306 | 69 -
sysutils/xenkernel411/patches/patch-XSA307 | 101 +
sysutils/xenkernel411/patches/patch-XSA308 | 76 +
sysutils/xenkernel411/patches/patch-XSA309 | 60 +
sysutils/xenkernel411/patches/patch-XSA310 | 348 ++++
sysutils/xenkernel411/patches/patch-XSA311 | 189 ++
sysutils/xentools411/Makefile | 4 +-
sysutils/xentools411/distinfo | 10 +-
15 files changed, 794 insertions(+), 4092 deletions(-)
diffs (truncated from 4967 to 300 lines):
diff -r 5ae900e79294 -r 10ec599ee9e9 sysutils/xenkernel411/Makefile
--- a/sysutils/xenkernel411/Makefile Mon Dec 16 13:12:31 2019 +0000
+++ b/sysutils/xenkernel411/Makefile Mon Dec 16 13:51:58 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.8.2.2 2019/12/07 19:10:08 bsiegert Exp $
+# $NetBSD: Makefile,v 1.8.2.3 2019/12/16 13:51:58 bsiegert Exp $
-VERSION= 4.11.2
-PKGREVISION= 3
+VERSION= 4.11.3
+PKGREVISION= 1
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel411-${VERSION}
CATEGORIES= sysutils
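Review bot: `PKGREVISION= 1` next to the `VERSION` bump to 4.11.3 reads like a leftover to anyone who sees only the Makefile; the reason (the package carries XSA patches on top of stock 4.11.3) is stated only in the log message. A one-line comment above `PKGREVISION` saying it is deliberately kept non-zero would stop a later update from resetting it by mistake.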
diff -r 5ae900e79294 -r 10ec599ee9e9 sysutils/xenkernel411/distinfo
--- a/sysutils/xenkernel411/distinfo Mon Dec 16 13:12:31 2019 +0000
+++ b/sysutils/xenkernel411/distinfo Mon Dec 16 13:51:58 2019 +0000
@@ -1,16 +1,15 @@
-$NetBSD: distinfo,v 1.5.2.2 2019/12/07 19:10:08 bsiegert Exp $
+$NetBSD: distinfo,v 1.5.2.3 2019/12/16 13:51:58 bsiegert Exp $
-SHA1 (xen411/xen-4.11.2.tar.gz) = 82766db0eca7ce65962732af8a31bb5cce1eb7ce
-RMD160 (xen411/xen-4.11.2.tar.gz) = 6dcb1ac3e72381474912607b30b59fa55d87d38b
-SHA512 (xen411/xen-4.11.2.tar.gz) = 48d3d926d35eb56c79c06d0abc6e6be2564fadb43367cc7f46881c669a75016707672179c2cca1c4cfb14af2cefd46e2e7f99470cddf7df2886d8435a2de814e
-Size (xen411/xen-4.11.2.tar.gz) = 25164925 bytes
+SHA1 (xen411/xen-4.11.3.tar.gz) = 2d77152168d6f9dcea50db9cb8e3e6a0720a4a1b
+RMD160 (xen411/xen-4.11.3.tar.gz) = cfb2e699842867b60d25a01963c564a6c5e580da
+SHA512 (xen411/xen-4.11.3.tar.gz) = 2204e490e9fc357a05983a9bf4e7345e1d364fe00400ce473988dcb9ca7d4e2b921fe10f095cbbc64248130a92d22c6f0d154dcae250a57a7f915df32e3dc436
+Size (xen411/xen-4.11.3.tar.gz) = 25180826 bytes
SHA1 (patch-Config.mk) = 9372a09efd05c9fbdbc06f8121e411fcb7c7ba65
-SHA1 (patch-XSA298) = 63e0f96ce3b945b16b98b51b423bafec14cf2be6
-SHA1 (patch-XSA299) = beb7ba1a8f9e0adda161c0da725ff053e674067e
-SHA1 (patch-XSA302) = 12fbb7dfea27f53c70c8115487a2e30595549c2b
-SHA1 (patch-XSA304) = f2c22732227e11a3e77c630f0264a689eed53399
-SHA1 (patch-XSA305) = eb5e0096cbf501fcbd7a5c5f9d1f932b557636b6
-SHA1 (patch-XSA306) = f57201b2ae5f6435ce6ba3c6aac3e9e10cdba3fb
+SHA1 (patch-XSA307) = afd88b8294b0dbbc32e1d1aa74eb887d2da6695a
+SHA1 (patch-XSA308) = bda9ef732e0b6578ce8f7f0f7aa0a4189da41e86
+SHA1 (patch-XSA309) = 78cf7306e9d1efcbf2ebf425025d46948ae83019
+SHA1 (patch-XSA310) = 77b711f4b75de1d473a6988eb6f2b48e37cc353a
+SHA1 (patch-XSA311) = 4d3e6cc39c2b95cb3339961271df2bc885667927
SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6
SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac
SHA1 (patch-xen_arch_x86_Rules.mk) = 0bedfc53a128a87b6a249ae04fbdf6a053bfb70b
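Review bot: the five added entries, patch-XSA307 through patch-XSA311, are pinned with SHA1 only, while the xen-4.11.3.tar.gz entry at the top of the same hunk carries SHA1, RMD160 and SHA512. These patches are the security content of this update, so their integrity rests on the weakest digest in the file. If the distinfo format accepts a stronger digest for patch entries, it would be worth recording one; if not, compare the patch files against the upstream XSA advisories during review.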
diff -r 5ae900e79294 -r 10ec599ee9e9 sysutils/xenkernel411/patches/patch-XSA298
--- a/sysutils/xenkernel411/patches/patch-XSA298 Mon Dec 16 13:12:31 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,89 +0,0 @@
-$NetBSD: patch-XSA298,v 1.2.2.2 2019/11/16 22:10:07 bsiegert Exp $
-
-From: Jan Beulich <jbeulich%suse.com@localhost>
-Subject: x86/PV: check GDT/LDT limits during emulation
-
-Accesses beyond the LDT limit originating from emulation would trigger
-the ASSERT() in pv_map_ldt_shadow_page(). On production builds such
-accesses would cause an attempt to promote the touched page (offset from
-the present LDT base address) to a segment descriptor one. If this
-happens to succeed, guest user mode would be able to elevate its
-privileges to that of the guest kernel. This is particularly easy when
-there's no LDT at all, in which case the LDT base stored internally to
-Xen is simply zero.
-
-Also adjust the ASSERT() that was triggering: It was off by one to
-begin with, and for production builds we also better use
-ASSERT_UNREACHABLE() instead with suitable recovery code afterwards.
-
-This is XSA-298.
-
-Reported-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
-Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
-Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
-
---- xen/arch/x86/pv/emul-gate-op.c.orig
-+++ xen/arch/x86/pv/emul-gate-op.c
-@@ -51,7 +51,13 @@ static int read_gate_descriptor(unsigned
- const struct desc_struct *pdesc = gdt_ldt_desc_ptr(gate_sel);
-
- if ( (gate_sel < 4) ||
-- ((gate_sel >= FIRST_RESERVED_GDT_BYTE) && !(gate_sel & 4)) ||
-+ /*
-+ * We're interested in call gates only, which occupy a single
-+ * seg_desc_t for 32-bit and a consecutive pair of them for 64-bit.
-+ */
-+ ((gate_sel >> 3) + !is_pv_32bit_vcpu(v) >=
-+ (gate_sel & 4 ? v->arch.pv_vcpu.ldt_ents
-+ : v->arch.pv_vcpu.gdt_ents)) ||
- __get_user(desc, pdesc) )
- return 0;
-
-@@ -70,7 +76,7 @@ static int read_gate_descriptor(unsigned
- if ( !is_pv_32bit_vcpu(v) )
- {
- if ( (*ar & 0x1f00) != 0x0c00 ||
-- (gate_sel >= FIRST_RESERVED_GDT_BYTE - 8 && !(gate_sel & 4)) ||
-+ /* Limit check done above already. */
- __get_user(desc, pdesc + 1) ||
- (desc.b & 0x1f00) )
- return 0;
---- xen/arch/x86/pv/emulate.c.orig
-+++ xen/arch/x86/pv/emulate.c
-@@ -31,7 +31,14 @@ int pv_emul_read_descriptor(unsigned int
- {
- struct desc_struct desc;
-
-- if ( sel < 4)
-+ if ( sel < 4 ||
-+ /*
-+ * Don't apply the GDT limit here, as the selector may be a Xen
-+ * provided one. __get_user() will fail (without taking further
-+ * action) for ones falling in the gap between guest populated
-+ * and Xen ones.
-+ */
-+ ((sel & 4) && (sel >> 3) >= v->arch.pv_vcpu.ldt_ents) )
- desc.b = desc.a = 0;
- else if ( __get_user(desc, gdt_ldt_desc_ptr(sel)) )
- return 0;
---- xen/arch/x86/pv/mm.c.orig
-+++ xen/arch/x86/pv/mm.c
-@@ -92,12 +92,16 @@ bool pv_map_ldt_shadow_page(unsigned int
- BUG_ON(unlikely(in_irq()));
-
- /*
-- * Hardware limit checking should guarantee this property. NB. This is
-+ * Prior limit checking should guarantee this property. NB. This is
- * safe as updates to the LDT can only be made by MMUEXT_SET_LDT to the
- * current vcpu, and vcpu_reset() will block until this vcpu has been
- * descheduled before continuing.
- */
-- ASSERT((offset >> 3) <= curr->arch.pv_vcpu.ldt_ents);
-+ if ( unlikely((offset >> 3) >= curr->arch.pv_vcpu.ldt_ents) )
-+ {
-+ ASSERT_UNREACHABLE();
-+ return false;
-+ }
-
- if ( is_pv_32bit_domain(currd) )
- linear = (uint32_t)linear;
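Review bot: deleting patch-XSA298 is only safe if the 4.11.3 tarball already contains every part of it, and nothing in this changeset shows that. The part to check first is the pv_map_ldt_shadow_page() change in xen/arch/x86/pv/mm.c, where the removed patch replaced the off-by-one `ASSERT((offset >> 3) <= curr->arch.pv_vcpu.ldt_ents)` with a `>=` test that returns false. Please confirm that test and the two limit checks in emul-gate-op.c and emulate.c are present in the extracted 4.11.3 source, and say so in the log message.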
diff -r 5ae900e79294 -r 10ec599ee9e9 sysutils/xenkernel411/patches/patch-XSA299
--- a/sysutils/xenkernel411/patches/patch-XSA299 Mon Dec 16 13:12:31 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2413 +0,0 @@
-$NetBSD: patch-XSA299,v 1.1.2.2 2019/11/16 22:10:07 bsiegert Exp $
-
-From 852df269d247e177d5f2e9b8f3a4301a6fdd76bd Mon Sep 17 00:00:00 2001
-From: George Dunlap <george.dunlap%citrix.com@localhost>
-Date: Thu, 10 Oct 2019 17:57:49 +0100
-Subject: [PATCH 01/11] x86/mm: L1TF checks don't leave a partial entry
-
-On detection of a potential L1TF issue, most validation code returns
--ERESTART to allow the switch to shadow mode to happen and cause the
-original operation to be restarted.
-
-However, in the validation code, the return value -ERESTART has been
-repurposed to indicate 1) the function has partially completed
-something which needs to be undone, and 2) calling put_page_type()
-should cleanly undo it. This causes problems in several places.
-
-For L1 tables, on receiving an -ERESTART return from alloc_l1_table(),
-alloc_page_type() will set PGT_partial on the page. If for some
-reason the original operation never restarts, then on domain
-destruction, relinquish_memory() will call free_page_type() on the
-page.
-
-Unfortunately, alloc_ and free_l1_table() aren't set up to deal with
-PGT_partial. When returning a failure, alloc_l1_table() always
-de-validates whatever it's validated so far, and free_l1_table()
-always devalidates the whole page. This means that if
-relinquish_memory() calls free_page_type() on an L1 that didn't
-complete due to an L1TF, it will call put_page_from_l1e() on "page
-entries" that have never been validated.
-
-For L2+ tables, setting rc to ERESTART causes the rest of the
-alloc_lN_table() function to *think* that the entry in question will
-have PGT_partial set. This will cause it to set partial_pte = 1. If
-relinqush_memory() then calls free_page_type() on one of those pages,
-then free_lN_table() will call put_page_from_lNe() on the entry when
-it shouldn't.
-
-Rather than indicating -ERESTART, indicate -EINTR. This is the code
-to indicate that nothing has changed from when you started the call
-(which is effectively how alloc_l1_table() handles errors).
-
-mod_lN_entry() shouldn't have any of these types of problems, so leave
-potential changes there for a clean-up patch later.
-
-This is part of XSA-299.
-
-Reported-by: George Dunlap <george.dunlap%citrix.com@localhost>
-Signed-off-by: George Dunlap <george.dunlap%citrix.com@localhost>
-Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
----
- xen/arch/x86/mm.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index e6a4cb28f8..8ced185b49 100644
---- xen/arch/x86/mm.c.orig
-+++ xen/arch/x86/mm.c
-@@ -1110,7 +1110,7 @@ get_page_from_l2e(
- int rc;
-
- if ( !(l2e_get_flags(l2e) & _PAGE_PRESENT) )
-- return pv_l1tf_check_l2e(d, l2e) ? -ERESTART : 1;
-+ return pv_l1tf_check_l2e(d, l2e) ? -EINTR : 1;
-
- if ( unlikely((l2e_get_flags(l2e) & L2_DISALLOW_MASK)) )
- {
-@@ -1142,7 +1142,7 @@ get_page_from_l3e(
- int rc;
-
- if ( !(l3e_get_flags(l3e) & _PAGE_PRESENT) )
-- return pv_l1tf_check_l3e(d, l3e) ? -ERESTART : 1;
-+ return pv_l1tf_check_l3e(d, l3e) ? -EINTR : 1;
-
- if ( unlikely((l3e_get_flags(l3e) & l3_disallow_mask(d))) )
- {
-@@ -1175,7 +1175,7 @@ get_page_from_l4e(
- int rc;
-
- if ( !(l4e_get_flags(l4e) & _PAGE_PRESENT) )
-- return pv_l1tf_check_l4e(d, l4e) ? -ERESTART : 1;
-+ return pv_l1tf_check_l4e(d, l4e) ? -EINTR : 1;
-
- if ( unlikely((l4e_get_flags(l4e) & L4_DISALLOW_MASK)) )
- {
-@@ -1404,7 +1404,7 @@ static int alloc_l1_table(struct page_info *page)
- {
- if ( !(l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) )
- {
-- ret = pv_l1tf_check_l1e(d, pl1e[i]) ? -ERESTART : 0;
-+ ret = pv_l1tf_check_l1e(d, pl1e[i]) ? -EINTR : 0;
- if ( ret )
- goto out;
- }
---
-2.23.0
-
-From 6bdddd7980eac0cc883945d823986f24682ca47a Mon Sep 17 00:00:00 2001
-From: George Dunlap <george.dunlap%citrix.com@localhost>
-Date: Thu, 10 Oct 2019 17:57:49 +0100
-Subject: [PATCH 02/11] x86/mm: Don't re-set PGT_pinned on a partially
- de-validated page
-
-When unpinning pagetables, if an operation is interrupted,
-relinquish_memory() re-sets PGT_pinned so that the un-pin will
-pickedup again when the hypercall restarts.
-
-This is appropriate when put_page_and_type_preemptible() returns
--EINTR, which indicates that the page is back in its initial state
-(i.e., completely validated). However, for -ERESTART, this leads to a
-state where a page has both PGT_pinned and PGT_partial set.
-
-This happens to work at the moment, although it's not really a
-"canonical" state; but in subsequent patches, where we need to make a
-distinction in handling between PGT_validated and PGT_partial pages,
-this causes issues.
-
-Move to a "canonical" state by:
-- Only re-setting PGT_pinned on -EINTR
-- Re-dropping the refcount held by PGT_pinned on -ERESTART
-
-In the latter case, the PGT_partial bit will be cleared further down
-with the rest of the other PGT_partial pages.
-
-While here, clean up some trainling whitespace.
-
-This is part of XSA-299.
-
-Reported-by: George Dunlap <george.dunlap%citrix.com@localhost>
-Signed-off-by: George Dunlap <george.dunlap%citrix.com@localhost>
-Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
----
- xen/arch/x86/domain.c | 31 ++++++++++++++++++++++++++++---
- 1 file changed, 28 insertions(+), 3 deletions(-)
-
-diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
-index 29f892c04c..8fbecbb169 100644
---- xen/arch/x86/domain.c.orig
-+++ xen/arch/x86/domain.c
-@@ -112,7 +112,7 @@ static void play_dead(void)
- * this case, heap corruption or #PF can occur (when heap debugging is
- * enabled). For example, even printk() can involve tasklet scheduling,
- * which touches per-cpu vars.
-- *
-+ *
- * Consider very carefully when adding code to *dead_idle. Most hypervisor
- * subsystems are unsafe to call.
- */
-@@ -1838,9 +1838,34 @@ static int relinquish_memory(
- break;
- case -ERESTART:
- case -EINTR:
-+ /*
-+ * -EINTR means PGT_validated has been re-set; re-set
-+ * PGT_pinned again so that it gets picked up next time
-+ * around.
-+ *
-+ * -ERESTART, OTOH, means PGT_partial is set instead. Put
-+ * it back on the list, but don't set PGT_pinned; the
-+ * section below will finish off de-validation. But we do
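Review bot: the listing is cut off inside the new -ERESTART/-EINTR comment in relinquish_memory() ("truncated from 4967 to 300 lines"), so only the first of the eleven XSA-299 patches is fully visible here and none of the added patch-XSA307 to patch-XSA311 content is shown. The pullup should be reviewed against the full changeset at the URL in the header. For this deletion specifically, check that 4.11.3 returns -EINTR rather than -ERESTART from the pv_l1tf_check_l*e() paths in get_page_from_l2e(), get_page_from_l3e(), get_page_from_l4e() and alloc_l1_table(), as the removed patch 01/11 did.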